CVE-2020-35653
Description
In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding a crafted PCX file because the user-supplied stride value is trusted for buffer calculations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pillow before 8.1.0 contains a buffer over-read flaw in PcxDecode due to an untrusted user-supplied stride value.
Vulnerability
CVE-2020-35653 is a buffer over-read vulnerability in Pillow's PCX decoder, PcxDecode. The root cause is that the decoder trusts a user-supplied stride value from the crafted PCX file when calculating buffer boundaries, without proper validation. This allows the decoder to read beyond the allocated buffer, resulting in a buffer over-read. The flaw is present in Pillow versions prior to 8.1.0 [1][2].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted PCX image file with a malicious stride value. Exploitation does not require authentication, as the attack vector is through file processing. A victim must open or process the crafted PCX file using an affected Pillow version. The attack complexity is low, as no special conditions beyond providing the file are needed [1][2].
Impact
Successful exploitation leads to a buffer over-read, which can cause information disclosure through reading out-of-bounds memory. In some scenarios, this could also lead to a denial of service (e.g., application crash) if the read access violates memory protections. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating high confidentiality and availability impact with no privileges required [1][2].
Mitigation
The vulnerability is patched in Pillow version 8.1.0. Users are strongly advised to upgrade to this or a later version. For systems where upgrading is not immediately possible, avoiding processing untrusted PCX files can serve as a temporary workaround. Debian has also released a security update for its LTS distribution [2][3].
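A header pre-check that a caller can apply to untrusted PCX input before handing it to a decoder whose buffer arithmetic trusts the stride field, added here as an example; it is not Pillow's code and not the 8.1.0 fix. The header offsets and the even-stride rule follow the PCX format specification; the 64 MiB cap on total row data is a policy assumption, and `make_pcx_header` only builds constructed test data.

```python
import struct

# Fixed 128-byte PCX header (offsets per the PCX format specification):
#   3       bits per pixel per plane       65      number of colour planes
#   4..11   xmin, ymin, xmax, ymax (<H)    66..67  bytes per plane row ("stride", <H)
PCX_HEADER_LEN = 128
MAX_DECODE_BYTES = 64 * 1024 * 1024  # policy assumption: cap on total row data


def make_pcx_header(width, height, bits, planes, stride):
    """Constructed test data: a PCX header with the given geometry."""
    hdr = bytearray(PCX_HEADER_LEN)
    hdr[0], hdr[1], hdr[2], hdr[3] = 0x0A, 5, 1, bits   # magic, version, RLE, depth
    struct.pack_into("<4H", hdr, 4, 0, 0, width - 1, height - 1)
    hdr[65] = planes
    struct.pack_into("<H", hdr, 66, stride)
    return bytes(hdr)


def check_pcx_stride(header, max_bytes=MAX_DECODE_BYTES):
    """Return None if the stride is consistent with the image geometry, else a
    string naming the inconsistency. Run before handing an untrusted PCX to a
    decoder whose buffer arithmetic trusts the stride field."""
    if len(header) < PCX_HEADER_LEN or header[0] != 0x0A:
        return "not a PCX header"
    bits, planes = header[3], header[65]
    xmin, ymin, xmax, ymax = struct.unpack_from("<4H", header, 4)
    (stride,) = struct.unpack_from("<H", header, 66)
    if xmax < xmin or ymax < ymin:
        return "inverted image window"
    if bits not in (1, 2, 4, 8) or planes not in (1, 3, 4):
        return f"unsupported depth: {bits} bits x {planes} planes"
    width, height = xmax - xmin + 1, ymax - ymin + 1
    min_bpl = (width * bits + 7) // 8       # bytes a plane row actually needs
    if stride < min_bpl:                    # a row would be unpacked past its data
        return f"stride {stride} smaller than the {min_bpl} bytes needed for {width} px"
    if stride % 2:                          # the PCX spec requires an even stride
        return f"odd stride {stride}"
    if stride * planes * height > max_bytes:  # bound what the decoder will allocate
        return f"row data {stride * planes * height} bytes exceeds limit {max_bytes}"
    return None


if __name__ == "__main__":
    for label, hdr in [
        ("well-formed 8-bit", make_pcx_header(100, 10, 8, 1, 100)),
        ("stride shorter than a row", make_pcx_header(100, 10, 8, 1, 16)),
    ]:
        print(f"{label}: {check_pcx_stride(hdr) or 'ok'}")
```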
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pillow (PyPI) | < 8.1.0 | 8.1.0 |
Affected products
- Pillow/Pillow
  - OSV coordinates (11 package URLs):
    - pkg:bitnami/pillow
    - pkg:pypi/pillow
    - pkg:rpm/almalinux/python3-pillow
    - pkg:rpm/opensuse/python-CairoSVG&distro=openSUSE%20Leap%2015.2
    - pkg:rpm/opensuse/python-Pillow&distro=openSUSE%20Leap%2015.2
    - pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208
    - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207
    - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208
    - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209
    - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
    - pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
  - Affected version ranges (no CPE):
    - < 8.1.0
    - < 8.1.0
    - < 5.1.1-16.el8
    - < 2.5.1-lp152.2.3.1
    - < 8.3.1-lp152.5.3.1
    - < 4.2.1-3.14.1
    - < 2.8.1-4.22.1
    - < 4.2.1-3.14.1
    - < 5.2.0-3.8.1
    - < 4.2.1-3.14.1
    - < 5.2.0-3.8.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f5g8-5qq7-938w (GHSA; advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE/ (MITRE; vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD/ (MITRE; vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-35653 (GHSA; advisory)
- github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-69.yaml (GHSA; web)
- github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf (GHSA; web)
- lists.debian.org/debian-lts-announce/2021/07/msg00018.html (GHSA; mailing list, x_refsource_MLIST; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BYVI5G44MRIPERKYDQEL3S3YQCZTVHE (GHSA; web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF553AMNNNBW7SH4IM4MNE4M6GNZQ7YD (GHSA; web)
- pillow.readthedocs.io/en/stable/releasenotes/index.html (GHSA; x_refsource_MISC; web)
News mentions
No linked articles in our index yet.